In order to gain access to applications or other resources via a computer or other user device, users are often required to authenticate themselves by entering authentication information. Such authentication information may comprise, for example, passwords that are generated by a security token carried by a user. These passwords may be one-time passwords that are generated using a time-synchronous or event-based algorithm. One particular example of a well-known type of security token is the RSA SecurID® user authentication token commercially available from RSA Security Inc. of Bedford, Mass., U.S.A.
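As an added illustration of the two classes of token algorithm named above (this is example code, not the patent's own material and not the vendor's proprietary SecurID algorithm): a standards-based event-based OTP (RFC 4226 HOTP), its time-synchronous variant (RFC 6238 TOTP), and a server-side verifier that never accepts a counter at or below the last one used, which is the property that makes a captured one-time password useless for replay. The secret is the RFC reference test key, constructed for the example rather than a real token seed.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 reference test key, not a real token seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous OTP (RFC 6238): HOTP whose counter is derived from the clock,
    so token and server agree without exchanging a counter."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server-side check for an event-based token. A small look-ahead window tolerates
    codes the user generated but never submitted; the high-water mark ensures a code
    that was already accepted (or one older than it) is rejected if replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            # constant-time comparison avoids leaking which digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # advance so this and all earlier codes are dead
                return True
        return False
```

The RFC test vectors (e.g. counter 0 yields 755224; Unix time 59 yields 94287082 at 8 digits) make it easy to confirm the implementation before wiring it to real tokens.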
Generally, such security token-based authentication techniques verify a user once, at the beginning of a session (an approach often referred to as single sign-on authentication). U.S. Pat. No. 7,562,221 to Nyström et al., assigned to the assignee of the present invention and incorporated by reference herein, also discloses single sign-on authentication techniques that allow multiple accesses by a user to one or more applications or other resources.
With the increasing prevalence of malicious software (malware) and hackers, however, one-time authentication at the beginning of a session may not provide sufficient security. Malware includes computer viruses, Trojan horses, worms and other malicious and unwanted software programs. Trojan horses, for example, can install themselves on user machines without being perceived by the user. Trojan horses may then enable a controller to record keyboard entries from an infected machine (e.g., key loggers), listen in on conversations (e.g., man-in-the-middle or MiTM), or even hijack an HTTP session from within a browser (e.g., man-in-the-browser or MiTB). In this manner, Trojan horses can secretly obtain user names and passwords, or alter transactions as they occur. Thus, the user may think he or she is performing a legitimate transaction (e.g., paying a bill) when in reality the user is sending money to another account. Trojan horses also allow session hijacking, whereby a remote fraudster performs transactions via the user's infected machine.
Thus, improved security techniques are needed to reduce the susceptibility of a user to such malware and hacking. In addition, improved security techniques are needed that authenticate a user multiple times over the course of a session.